libcli:smb: Use GnuTLS AES128 CMAC in smb2_signing_sign_pdu()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Adapted by Andrew Bartlett to followup from earlier patch to
allow compile without GnuTLS over the whole series.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c
index 01027d55fbeddf5a7fb1be034bb257bdb4646fe0..b7c0be528b7c2c701fea5862a5e0c4fd9a4c28dc 100644 (file)
--- a/libcli/smb/smb2_signing.c
+++ b/libcli/smb/smb2_signing.c
@@ -24,6 +24,11 @@
 #include "../lib/crypto/crypto.h"
 #include "lib/util/iov_buf.h"
 
+#ifndef HAVE_GNUTLS_AES_CMAC
+#include "lib/crypto/aes.h"
+#include "lib/crypto/aes_cmac_128.h"
+#endif
+
 #include "lib/crypto/gnutls_helpers.h"
 #include <gnutls/gnutls.h>
 #include <gnutls/crypto.h>
@@ -96,6 +101,33 @@ NTSTATUS smb2_signing_sign_pdu(struct smb2_signing_key *signing_key,
        SIVAL(hdr, SMB2_HDR_FLAGS, IVAL(hdr, SMB2_HDR_FLAGS) | SMB2_HDR_FLAG_SIGNED);
 
        if (protocol >= PROTOCOL_SMB2_24) {
+#ifdef HAVE_GNUTLS_AES_CMAC
+               gnutls_datum_t key = {
+                       .data = signing_key->blob.data,
+                       .size = MIN(signing_key->blob.length, 16),
+               };
+               int rc;
+
+               if (signing_key->hmac_hnd == NULL) {
+                       rc = gnutls_hmac_init(&signing_key->hmac_hnd,
+                                             GNUTLS_MAC_AES_CMAC_128,
+                                             key.data,
+                                             key.size);
+                       if (rc < 0) {
+                               return NT_STATUS_NO_MEMORY;
+                       }
+               }
+
+               for (i = 0; i < count; i++) {
+                       rc = gnutls_hmac(signing_key->hmac_hnd,
+                                        vector[i].iov_base,
+                                        vector[i].iov_len);
+                       if (rc < 0) {
+                               return NT_STATUS_INTERNAL_ERROR;
+                       }
+               }
+               gnutls_hmac_output(signing_key->hmac_hnd, res);
+#else /* NOT HAVE_GNUTLS_AES_CMAC */
                struct aes_cmac_128_context ctx;
                uint8_t key[AES_BLOCK_SIZE] = {0};
 
@@ -112,6 +144,7 @@ NTSTATUS smb2_signing_sign_pdu(struct smb2_signing_key *signing_key,
                aes_cmac_128_final(&ctx, res);
 
                ZERO_ARRAY(key);
+#endif /* HAVE_GNUTLS_AES_CMAC */
        } else {
                uint8_t digest[gnutls_hmac_get_len(GNUTLS_MAC_SHA256)];
                int rc;